
Europäisches Patentamt
European Patent Office
Office européen des brevets

Publication number: 0 668 579 A2

EUROPEAN PATENT APPLICATION

Application number: 95300665.7
Date of filing: 02.02.05
Int. Cl.: G07F 7/10, G06F 17/60
Priority: 08.02.94 US 194186
Date of publication of application: 23.08.95 Bulletin 95/34
Designated Contracting States: DE ES FR GB IT

Applicant: AT & T Corp.
32 Avenue of the Americas
New York, NY 10013-2412 (US)

Inventor: Claus, David Michael
7660 Brookview Lane
Indianapolis, Indiana 46250 (US)

Representative: Watts, Christopher Malcolm Kelway, Dr.
AT&T (UK) Ltd.
5, Mornington Road
Woodford Green Essex, IG8 OTU (GB)

Secure money transfer techniques using smart cards.

(57) Systems and methods for providing secure electronic financial transactions characterized in that money
is electronically stored on a plurality of smart cards. A plurality of smart cards are each equipped with an
electronic security wall having a closed state and an open state. In the closed state, the smart card is
disabled from participating in financial transactions, and in the open state, the smart card may participate
in financial transactions. A security key smart card is equipped with a first security key for changing the
state of the electronic security wall from the open state to the closed state, and a second security key for
changing the state of the electronic security wall from the closed state to the open state. Financial
transactions include, for example, electronically transferring money between a bank center and a smart card;
electronically transferring money between the first and second smart cards; checking the amount of money
stored on a smart card; and adding interest to the amount of money stored on the smart card.

Technical Field

This invention relates generally to smart cards, and more particularly to systems and methods for providing 
secure money transfers between smart cards and financial institutions. 

Background of the Invention 

Recent developmental efforts have been directed towards using [...] and transfer of money. (Smart cards are
credit-card-sized devices which include an on-board microprocessor [...].) Using electronic money in place of
conventional [...] reasons. It is often cumbersome and inconvenient to carry around large amounts of money
[...]

[...] merchants may accept personal checks, the processing of these transactions often proves to be very
time-consuming. In practice, existing check verification procedures often involve a [...] annoy, irritate,
and/or frustrate customers who are waiting in line at the merchant's [...]

With existing state-of-the-art technology, it is possible to use smart cards as devices on which to
electronically store and transfer money. However, a system which does nothing more than electronically store
and transfer money is not practical for use in many real-world applications. As with any [...] transfer
system, security breaches are possible. If the concept of electronic money [...] accepted, electronic money
cannot be lost by the application providers or by other parties [...] or customers. Although a certain amount
of electronic money loss is acceptable and inevitable, these losses [...] measures do not provide an
electronic money system having the requisite level of security.

[...] smart card devices are not completely invulnerable to failure. For example, the smart card holder could
forget to remove the smart card from his or her pocket, and run the card through an entire [...] cycle,
exposing the card to heat, mechanical vibrations, water, and chemically [...] and detergent which could result
in a smart card failure. Upon device failure, the hapless smart card holder [...] the amount of money stored
on the now-defunct card. [...] applicable to smart cards that have become inoperable, so that the smart card
holder does not suffer a financial [...]

[...] of privacy stems from the fact that current system architectures offer paid interest [...] cards. As a
result, those customers who desire privacy must pay in cash in order to attain transaction anonymity. Since
conventional paper money offers virtual anonymity, the concept of electronic money [...] upon customer
request.

Summary of the Invention 

Systems and methods for providing secure electronic financial transactions characterized in that monetary
value is electronically stored on a card which includes an electronic security lock having a closed state and
an open state. In the closed state, the lock disables the smart card from transferring any of the monetary
value, and in the open state, the smart card is equipped to transfer all or a portion of the monetary value.
The smart card includes an electronic security key for changing the state of the electronic security lock
from the open state to the closed state, and for changing the state of the electronic security lock from the
closed state to the open state.






Brief Description of the Drawing 

FIG. 1 is a block diagram showing a secure smart card money transfer system;
FIG. 2 is a chart which describes a secure financial transaction between two smart cards;
FIG. 3 is a flowchart which sets forth the operational sequence for implementing a secure smart card f[...]
FIGS. 4A and 4B together comprise a flowchart which describes the steps of a cardholder-to-cardholder [...]
FIGS. 5A and 5B together comprise a flowchart which sets forth the procedure for updating/changing security
keys, and for adding interest to money stored on smart cards;
FIG. 6 is a block diagram showing the data structures which are transferred from a first smart card to a
second smart card during a financial transaction;
FIG. 7 is a block diagram describing the data structures used by user smart cards and bank smart cards.

Detailed Description

Techniques are disclosed for the secure transfer of a monetary value (hereinafter "money") between smart
cards. FIG. 1 is a block diagram setting forth hardware components and data structures for a smart card secure
money transfer system. This system also provides for adding interest payments to money stored on a smart
card, and for checking the amount of money (account balance) stored on a smart card. Activities such as the
transfer of money between smart cards, adding interest payments to a smart card, and checking account
balances are referred to as financial transactions.

Smart cards 102, 104 are provided to a plurality of cardholders, including a first smart card 102 provided
to a first cardholder and a second smart card 104 provided to a second cardholder, each smart card 102, 104
being capable of participating in one or more financial transactions involving electronic money stored on the
smart card. The first cardholder may be, for example, a bank, a merchant, or a consumer. Independent of the
identity of the first cardholder, the second cardholder may be a bank, a merchant, or a consumer. If a cardholder
is a merchant or a consumer, the smart card held by this cardholder is referred to as a user smart card.

If a cardholder is a bank, the smart card provided to the bank is termed a bank smart card. Banks may be
organized into a plurality of regions, each region consisting of one or more branch banks. In this situation, three
subtypes of bank smart cards may be utilized, such as bank center smart cards, bank region smart cards, and
bank branch smart cards. Bank center smart cards are used to provide one or more electronic security keys
to other smart cards, such as other bank smart cards, smart cards held by merchants, and/or smart cards held
by consumers. These security keys may be updated (i.e., periodically changed) to allow and/or to disallow the
transfer of money to/from a smart card.

Bank center smart cards are used to provide interest payments to other smart cards, such as to other bank
smart cards and to user smart cards (cards held by merchants or consumers). Interest payments can be
implemented in a hierarchical manner with respect to a predefined smart card hierarchy. For example, a bank
center smart card may be employed to provide interest payments to bank region smart cards. Similarly, the
bank region smart cards may be used to provide interest payments to bank branch smart cards, which, in turn,
provide interest payments to smart cards held by consumers and merchants. Thus, the smart card hierarchy
in this example is structured such that a bank center smart card is at the top of the hierarchy, followed by bank
region smart cards and bank branch smart cards. User smart cards are at the bottom of the hierarchy. The
mechanics of interest payments will be described in greater detail hereinafter with reference to FIG. 1.

Each smart card 102, 104 contains the data structures and hardware blocks described below in conjunction
with FIG. 1, irrespective of whether the smart card is a user smart card or a bank smart card. Each smart card
102, 104 contains a security key storage register 112, 128, respectively, for the storage of an electronic security
key. The security key storage register 112, 128 may be provided in the form of random-access memory (RAM).
The security key register 112, 128 is coupled to a security key register input device 118, 124, respectively, which
is adapted to accept input from a smart card reader network 106. In this manner, an electronic security key
may be transferred from the smart card reader network 106 into the smart card security key storage register
112. The security key register input device 118, 124 is equipped to accept input data in accordance with
presently-existing smart card data input/output (I/O) techniques well-known to those skilled in the art.

A security key register output device 114, 130 is coupled to the security key storage register 112, 128,
respectively. This output device 114, 130 is equipped to copy the contents of the security key storage register
112, 128, respectively, into the smart card reader network 106. The security key storage register 112, 128 is
coupled to a first input of a security key comparison device 110, 126, respectively. A second input of the security
key comparison device 110, 126 is connected to a security key comparison input device 116, 122, respectively.

The security key comparison device 110, 126 is equipped to compare the first input with the second input,
and to generate a signal at a comparison device output, such that the generated signal is based upon the results
of the comparison. If the first and second inputs are identical, the security key comparison device 110, 126
generates a match signal at the comparison device output. If the first and second inputs are not identical, the
security key comparison device 110, 126 generates a no-match signal at the comparison device output.

The comparison device 110, 126 output is coupled to an electronic security lock 108, 120, respectively.
The security lock 108, 120 may be placed into any one of two mutually-exclusive states. In a first, locked state,
the security lock 108, 120 disables the smart card 102, 104 from transferring money to another smart card. In
a second, unlocked state, the security lock 108, 120 permits money to be transferred to another smart card.
The security lock 108, 120 is coupled to the output of comparison device 110, 126, respectively. When the
comparison device 110, 126 produces the match signal, the security lock 108, 120 is placed into the second,
unlocked state. The security lock 108, 120 is placed into the first, locked state upon receipt of a no-match
signal [...]

[...] security lock 108, 120 and security key comparison device 110, 126 may be implemented using a
microprocessor device of the type well-known to those skilled in the art [...] used in various existing smart
card designs. The functions of the security key storage register 112, 128 may be implemented using [...]
described above, and/or such a register may be provided in the form of random access memory [...]. The
security key register input device 118, 124, the security key comparison input device 116, 122, and the
security key register output device 114, 130 operate [...] above-described microprocessor, and may be
implemented using conventional smart card data I/O [...] provide for the exchange of data between a smart
card 102, [...] conventional smart card data I/O devices and smart cards 102, 104 are well-known to those
skilled in the art.
Smart card reader network 106 comprises a configuration of two or [...] ports, such as a first smart card
reader port 141 and a second smart card reader port [...] are of a type well-known to those skilled in the
art, to permit substantially [...] at a remote location with respect to second smart card reader port [...]
smart card reader ports 141, 143 are linked together over a communications link 150. In the case where smart
[...] the data input means 149 of smart card reader port 141 is linked to the data output means 147 of smart
card [...]

The flow of data between smart card reader port 141 and smart card reader port 143 [...] by an optional smart
card reader microprocessor internal to the smart card reader network [...] reader microprocessor is of a type
well[...] is not used, the microprocessors within the smart cards 102, 104 are [...]

[...] electronic security key to data input means 149 of smart card reader network [...] to the data output
means 147 and conveyed to security key comparison input device 122 of smart card 104. [...] security key
comparison device 126 retrieves the security key stored in security key storage register 128 [...] smart card
104. If the comparison device 126 ascertains that the security key received from smart card [...] matches the
security key stored in the security key storage register 128, the [...] within smart card 104 is unlocked to
enable smart card 104 to participate in one or more [...] with smart card 102. If, however, the security key
retrieved from security key storage register [...] does not match the security key received from smart card
102, smart card 104 is disabled from participating in all fi[...]

The [...] comparison process implemented [...] 102, smart card 104 retrieves the security key stored in
security key storage register 128 [...] security key to security key register output device 130. The security
key is [...] by data [...] of smart card reader network 106, and sent to data output [...] output means 145
to security key comparison input device 116 of smart card 102. Security key comparison input device 116 sends
the security key to security key comparison device 110. [...] stored in security key storage register 112 is
sent to security key [...] key from storage register 112 is compared with the security key received from
smart card 104. If these security keys match, security key comparison device 110 provides an "unlock" signal
to electronic security lock 108 which [...] the security lock, permitting smart card 102 to participate in
[...] with smart card 104. If, however, the security keys do not match, comparison device 110 provides a lock
signal to electronic security lock 108. Electronic security lock 108 responds to the lock signal by disabling
smart card 102 from participating in any financial transactions.

In the above-described example, the electronic security locks 108, 120 of both smart cards 102, 104 must
be unlocked in order to permit a financial transaction to take place between these smart cards. If the
above-described exchange of security keys results in the locking of one or both of the electronic security
locks 108, 120, no financial transactions can take place between smart cards 102 and 104.

The example set forth above assumes that each smart card 102, 104 contains one security key in security
key storage register 112, 128, respectively. However, the example of one security key was described for ease
of illustration. Any desired number of security keys may be employed to meet the requirements of specific
design applications. According to one embodiment set forth herein, each smart card 102, 104 employs four
security keys which are stored in security key storage register 112, 128, respectively. Security key comparison
device 110 compares all four security keys stored in smart card 102 with all four security keys received from
smart card 104. Similarly, security key comparison device 126 compares all four security keys stored in smart
card 104 with all four security keys received from smart card 102. If at least two of the security keys match,
the respective electronic security lock 108, 120 is unlocked. If less than two of the four security keys match,
the respective security lock 108, 120 is locked.

In the embodiment which utilizes four security keys per smart card, the security keys can be updated and/or
changed to provide improved system security. Bank smart cards are used to update/change the security keys
stored in user smart cards. More particularly, assume for purposes of this illustration that smart card 102 is a
bank smart card. Bank smart cards are equipped to retrieve a security key from the bank smart card security
key storage register 112 and convey the key to the bank smart card security key register output device 114
(user smart cards are also so equipped). The output device 114 sends the security key to data input means
149 of smart card reader network 106, along with a bank smart card signal which serves to identify bank smart
cards from all other types of smart cards, such as user smart cards.

The security key and the bank smart card signal are conveyed to data output means 147. The microprocessor
of smart card 104 recognizes the bank smart card signal at data output means 147 and, in response
to this signal, places the security key at data output means 147 into security key storage register. When the
newly-received security key is placed into security key storage register 128, it replaces one of the
previously-existing security keys stored in register 128. In this manner, transactions between user smart cards
and bank smart cards are used to update/change one or more security keys in user smart cards. The security keys
are changed from time to time to provide an enhanced measure of security. The keys can be changed periodically,
i.e., at regular time intervals, or, alternatively, the keys may be changed at random time intervals, if desired.
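
The four-key comparison and the rolling key update described above, modelled as an added Python example (it is not code from the patent). It assumes that an update replaces the oldest stored key, which the text does not specify; the class, function and key names are illustrative and the key values are constructed.

```python
import hmac

KEYS_PER_CARD = 4     # embodiment in the text: four security keys per card
MATCH_THRESHOLD = 2   # the lock opens when at least two keys match


def count_matches(stored, received):
    """Number of distinct stored keys that also appear in the received set."""
    matches = 0
    for own in set(stored):
        # compare_digest keeps each comparison's duration independent of the
        # position of the first differing byte.
        if any(hmac.compare_digest(own, other) for other in received):
            matches += 1
    return matches


class SmartCard:
    """Minimal model of the register, comparison device and lock of FIG. 1."""

    def __init__(self, name, keys):
        self.name = name
        self.keys = list(keys)   # security key storage register (112 / 128)
        self.unlocked = False    # electronic security lock (108 / 120)

    def compare(self, received):
        """Security key comparison device: drive the lock from the result."""
        self.unlocked = count_matches(self.keys, received) >= MATCH_THRESHOLD
        return self.unlocked

    def install_key(self, new_key, bank_signal):
        """Key update, accepted only when the bank smart card signal is set.

        Assumption: the oldest stored key is the one that gets replaced.
        """
        if not bank_signal:
            return False
        self.keys = self.keys[1:] + [new_key]
        return True


def open_session(card_a, card_b):
    """Exchange keys in both directions; both locks must end up unlocked."""
    a_ok = card_a.compare(card_b.keys)
    b_ok = card_b.compare(card_a.keys)
    return a_ok and b_ok


def make_key(n):
    """Constructed sample key material for the demonstration."""
    return b"constructed-key-%02d" % n


def session_after_missed_updates(missed):
    """The bank card rolls forward `missed` times; the user card stays stale."""
    initial = [make_key(i) for i in range(KEYS_PER_CARD)]
    bank = SmartCard("bank branch", initial)
    user = SmartCard("user", initial)
    for i in range(missed):
        bank.install_key(make_key(KEYS_PER_CARD + i), bank_signal=True)
    return open_session(bank, user)


if __name__ == "__main__":
    for missed in range(KEYS_PER_CARD + 1):
        state = "unlocked" if session_after_missed_updates(missed) else "locked"
        print(f"user card {missed} update(s) behind: {state}")
```

Under the stated assumption, a card that has missed up to two updates still shares two keys with a current card and unlocks; after three missed updates only one key is shared and both locks stay closed.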

The smart card money transfer system of FIG. 1 utilizes three types of software. These are exchange software,
interest/key update software, and administration software. Exchange software (for example, the program
referred to hereinafter as EXCH.EXE in FIG. 7 (702)) enables money to be transferred from one smart
card to another. Interest/key software enables interest payments to be made to a smart card, and
administration software enables the performance of various administrative functions. These administrative
functions may include, for example, updating a file which lists and identifies all "bad" smart cards, and/or
updating a file containing the current interest rate to be paid to specific smart cards. "Bad" smart cards may
include defective, failed, stolen, "foreign" (non-system) and/or counterfeit smart cards. A specially-designated
administrative smart card may be used to perform the aforementioned administrative function, in conjunction
with a card reader and a computer. This administrative card contains the hardware and data structures of FIG. 1.
All software is executable on conventional personal computers, and/or on smart card reader software platforms
which contain processing devices.

Some of the software used by the smart card money transfer system can reside on the smart cards 102,
104. If desired, this software can be placed into a ROM device on the smart card. For example, three programs
may advantageously be placed onto the smart cards 102, 104. The first such program is a routine entitled
EXCH.INI and provides the data structures and functions necessary to implement financial transactions. This
program also enables the smart cards to receive electronic security keys and interest payments. This
executable program preferably resides on all user smart cards, including bank center smart cards.

The second program which may reside on the smart cards 102, 104 is entitled INT.EXE, and provides the
data structures and functions necessary to update electronic security keys. The program also implements the
process of giving interest to another bank smart card or to a user smart card such as a card held by a merchant
or a consumer. The third routine which may be placed on a smart card is entitled issue.exe, and permits an
administrative smart card to issue a bank or user smart card.

The smart card money transfer system (FIG. 1) performs financial transactions which involve, for example,
the transferring of money from one card to another. However, money is only "created" using a
specially-designated bank center smart card having hardware and data structures as shown in FIG. 1. The
"creation" of [...] card reader network 106. [...] structure. For example, the top level includes one [...]
security keys. In addition to the security keys, [...] concept. Practically speaking, [...] to provide an
enhanced level of security. However, [...] invulnerable security sys[...]

Application keys are stored as numerical values in [...] in a bank center smart card are updated from time
to time [...] three months. However, this number can be changed to [...] This file specifies [...]

[...] smart card 104 contains application keys of 51, 52, 53, and 54. [...] application keys of [...]mented,
due to the presence of two identical keys - namely, 51 55 56 and 57. [...]

[...] application key updates. Bank [...] assumption holds true, then only four bytes (the last four digits)
of the account numbers need to be stored at the bank branch level.

Techniques for managing bad smart cards are important, because the effectiveness of these techniques
can determine the overall profitability or loss of a given smart card system. If smart card system operators are
careless, and if inadequate bad card management techniques are employed, the operator may end up losing
more money per customer than it is possible to recover.

After the keys on a bad card expire, the card can be removed from the bad card list. Therefore, a bank
branch card can store 1200 bad card numbers and manage a group of 24,000 user cards, assuming that only
5% of the user smart cards are on the bad card list at any one time.

If no more than 10% of the user smart cards corresponding to a particular bank branch will ever be stolen,
then the next hierarchical level (say the "bank region") would be able to handle 6,000 bank branch smart cards.
The total number of customers in this scenario can thus be 144 MILLION. Because it may be desirable to
provide larger total system capacity, another hierarchical level may be used, termed "bank center". The bank
center smart card 103 can handle up to 6,000 bank region cards, and thus provide plenty of total system capacity.

With respect to smart card update time, assume that it takes 10 seconds (maximum) to update a smart
card. Further assume that 24,000 people want to update their keys in that one hour. The system must have
the equivalent of 24 bank branch smart cards working full time. If the bank branch smart cards are duplicated,
each of these cards is issued a different account number so that the generation process can be performed
and managed by a smart card. A given smart card account number should never be issued more than once.
Therefore, taking this reduction into account, the maximum number of user smart cards 102, 104 in a region
is 6 million. Because the bank branch cards can be assigned update times, bank region cards need not be
duplicated.

All security keys are generated by a bank center smart card which has the structure of smart card 102
and further includes a random number generator. The security key storage register of the bank center smart
card is loaded with the security keys necessary to generate and update all other smart cards. After the original
card issuing process, this is how security key updates proceed. A command is sent to the bank center card to
update its date and security keys. The bank center card generates a new security key using its random number
generator and updates a first application key corresponding to this new security key and increments the
KEY_NUMBER file. The KEY_NUMBER file is updated with a new date. A new interest rate can also be loaded
into the bank center smart card at this time.

After the bank center smart card updates its security keys, it has scheduled transactions with all of the
bank region smart cards in order to update their security keys. The bank region smart cards then update the
bank branch smart cards. And finally the bank branch smart cards update the user smart cards.

In general, money can only be added to one smart card when it is taken away from another smart card.
The exception to this is the bank center smart card. A bank center card key exists which contains key values
matching the application key values stored in the bank center smart card. Whoever holds this key can create
money by updating this card's balance file. This person cannot read the application keys on the bank center
card. To get this money down the pyramid of cards from the bank center smart card to the user smart cards
102, 104, a bank region cardholder would request a transfer of say $1 million card dollars in exchange for a
like transfer of money in another form. Approval is given by the bank center cardholder typing in the correct
key (most likely a different key than that used to create money). This money goes down the pyramid of cards
until it reaches the cardholders themselves. If the application is growing, then the flow of card money should
be down and the flow of other money should be up. For example, in a card money exchange involving two
smart cards, smart card 102 and smart card 104, the cards smart card 102 and smart card 104 may be any of
the cards specified in FIG. 2. For a given pair of cards smart card 102 and smart card 104, FIG. 2 describes
the nature of the financial transaction which may take place.

Financial transaction flow will now be described. These transactions are capable of being performed over
a remote link. The transactions always take place between two cards. Smart card readers and PC software
serve merely to connect the cards and provide user input. A conventional smart card reader is used at both
ends of the link, each sender having a keypad for PIN or key input (similar to an ATM or Telephone Adapter
with small keypad). These readers are well-known to those skilled in the art.

The financial transaction proceeds as indicated in FIG. 3. First, in block 301, smart card 102 (a first smart
card) is inserted into first smart card reader port 141 (a first smart card reader). Next, the cardholder
corresponding to the first smart card, smart card 102, dials the telephone number (if the reader includes a
Telephone Adapter) or chooses the correct menu item (if using an ATM or PC-based card reader) to dial up a host
computer and/or another telephone adapter. This causes a connection to be made to either a host computer or
another Telephone Adapter (block 302).

At block 303, a second smart card, smart card 104, is inserted into second smart card reader port 143 (a
second smart card reader). Then, [...] transaction. This information may include:
a. Credit/Debit/Interest
b. Amount of Money to be Transferred
c. Card PIN or Security Key Numerical Value

Financial Transaction                                                   | First Reader
Smart card 102 sends card money to smart card 104                       | Second smart card reader port 143
Smart card 102 receives card money from smart card 104                  | First smart card reader port 141
Smart card 102 receives interest and security keys from smart card 104  | First smart card reader port 141
Smart card 102 sends interest and security keys to smart card 104       | Second smart card reader port 143

The following sections detail the first and last financial transactions [...] two financial transactions are
the same [...]

FIGS. 4A and 4B describe the steps of a [...] card 1 and is the card of the person "spending the money" [...]
for card 2 and is the card of the person "receiving the money". At block 401, [...] PIN verified (this
verification substep is optional [...] transactions less [...] TRANS file). Next, smart card 104 is inserted
and PIN verified (this verification substep [...]) (block 402). At block 403, second smart card reader port
143 executes [...] described previ[...] the security [...] specifying debit, amount (A1) and [...] 104 [...]
number [...] equal to smart card 104's first, second, or third security keys [...] and smart card 104 match,
then smart card 102 cannot work [...] smart card 102 aborts the transaction and updates [...] card reader port
141 sends a [...] Second smart card reader port 143 sends the key number response to smart [...] key becomes
the first security key (APPKEY0, or AK0 for short) for the rest of the transaction (block [...]). [...] 102
continues response with packet 1 (P1) encrypted in APPKEY0 (AK0). This acts as [...] smart card 102 also
updates its PASSBOOK file (block 408). First smart card reader [...] smart card reader port 143 (block 409).
Smart card 104 responds with [...] This is the response to the challenge and smart card 102 checks [...] has
been changed [...] 104 also updates [...]

to first smart card reader port 141 (block 413). Smart card 102 debits the amount from the card balance and
updates the PASSBOOK file (block 414). Smart card 102 responds with packet 4 (P4) encrypted in AK1. This
is the response to the challenge and smart card 104 checks to make sure that the third field (credit amount)
has been changed from P3 to P4 and is a valid field (contains the correct credit code which is different from
the debit code and contains the same amount as in P3). If these fields are not correct, the BAD_KEY file gets
updated (block 415). First smart card reader port 141 sends this packet to second smart card reader port 143
(block 416). Smart card 104 credits the amount to its card balance and updates the PASSBOOK file (block
417).

Security key update and interest transactions will be described with reference to FIGS. 5A and 5B. These
are transactions between a user card and a bank branch card (or equivalently the branch and region card or
the region and center card). The following describes the steps of a cardholder-to-bank-branch transaction.
Smart card 102 stands for card 1 and is the card of the person "spending the money", in this case the bank
branch. Smart card 104 stands for card 2 and is the card of the person "receiving the money", in this case the
cardholder. Somewhere during this transaction the PASSBOOK file of smart card 104 needs to be read, stored
and cleared.

Block 501: smart card 102 inserted and Verify PIN. This step is the equivalent of someone at the bank
"loading" the bank branch card into a card reader. Block 502: smart card 104 inserted and Verify PIN. This
step assures that the proper cardholder still has the card and is similar to using your current card at an ATM
(you can be photographed to later prove that it was you). Block 503: second smart card reader port 143
executes smart card 104's C_EXCH.EXE with argument 2 (receive interest). Smart card 104 responds with the
key number of its APPKEY0 (0 to 255). Block 504: second smart card reader port 143 sends the key number
to first smart card reader port 141. Block 505: first smart card reader port 141 executes smart card 102's
C_INT.EXE with argument 3 (give interest) and smart card 104's key number. Smart card 102 responds with
a key number equal to smart card 104's APPKEY0, APPKEY1 or APPKEY2. If smart card 102 cannot work
with the proposed key set, then it aborts the transaction and sets up an expired key file transaction. Block
506: first smart card reader port 141 sends response to second smart card reader port 143. Block 507: second
smart card reader port 143 sends the key number response to smart card 104. This key becomes APPKEY0
for the rest of the transaction. Block 508: smart card 102 continues response with packet 1 (P1) encrypted in
APPKEY0 (AK0). This acts as a challenge to smart card 104. Smart card 102 also updates its PASSBOOK
file. Block 509: first smart card reader port 141 sends this packet to second smart card reader port 143. Block
510: smart card 104 responds with packet 2 (P2) encrypted in AK0. This is the response to the challenge and
smart card 102 checks to make sure that the third field (public name) has been changed from P1 and is a valid
name (contains only ASCII characters in a certain range). Smart card 104 also updates its PASSBOOK file.
Block 511: second smart card reader port 143 sends this packet to first smart card reader port 141. Block 512:
smart card 104 continues response with packet 5 (P5) encrypted in APPKEY1 (AK1). This acts as a challenge
to smart card 102. Block 513: second smart card reader port 143 sends this packet to first smart card reader
port 141. Block 514: smart card 102 checks to make sure that the third field (balance) has a valid checksum
and a logical date and interest rate. It also checks the fourth field (account number) versus its BAD_CARD
file. (If it finds the number in the BAD_CARD file it initiates an invalidate card transaction.) Using its date file,
it calculates the amount of interest to credit to smart card 104, debits the amount from smart card 102's card
balance and updates its PASSBOOK file. Smart card 102 also looks to see if smart card 104 needs a new key
and, if so, supplies one in P6. Block 515: smart card 102 responds with packet 6 (P6) encrypted in AK1. This
is the response to the challenge, and smart card 104 checks to make sure that the third through fifth fields
have been changed from P5 and are valid. Block 516: first smart card reader port 141 sends this packet to
second smart card reader port 143. Block 517: smart card 104 credits the amount to its card balance, changes
the date and updates the interest rate if necessary. If a new key is included in the fifth field, it updates its
application keys by replacing the oldest (APPKEY0) with the new one and incrementing the number in the
KEY_NUMBER file. It also updates the PASSBOOK file.
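
The key-number agreement of blocks 503 to 507 and the key replacement of block 517, modelled as an added example that is not the patent's own code. It assumes (the page does not say so) that a card's four keys carry consecutive key numbers modulo 256, that AK1 is the key following the agreed AK0, and that the newest common key is chosen; `Card`, `agree` and `catch_up` are hypothetical names.

```python
KEY_SPACE = 256      # key numbers run from 0 to 255
KEYS_PER_CARD = 4    # APPKEY0 through APPKEY3


class Card:
    """Key-number state of one card (hypothetical model)."""

    def __init__(self, appkey0_number):
        self.key_number = appkey0_number % KEY_SPACE   # number of the oldest key

    def held(self):
        """Numbers of APPKEY0..APPKEY3, assumed consecutive modulo 256."""
        return [(self.key_number + i) % KEY_SPACE for i in range(KEYS_PER_CARD)]

    def usable_as_ak0(self):
        """APPKEY0..APPKEY2: the agreed key needs a successor to act as AK1."""
        return self.held()[:-1]

    def install_new_key(self):
        """Block 517: drop the oldest key and increment the key number."""
        self.key_number = (self.key_number + 1) % KEY_SPACE


def agree(receiver, giver):
    """Blocks 503-507: the agreed key number, or None (expired key set)."""
    offered = receiver.usable_as_ak0()       # derived from the receiver's APPKEY0 number
    usable = set(giver.usable_as_ak0())
    common = [n for n in offered if n in usable]
    return common[-1] if common else None    # newest common key (assumption)


def catch_up(receiver, giver):
    """Interest transactions needed until the receiver holds the giver's key set.

    Each successful transaction hands over one new key (block 514) and the
    receiver rotates (block 517). Returns None when no key can be agreed or
    the giver does not hold the key the receiver needs next.
    """
    transactions = 0
    while receiver.key_number != giver.key_number:
        if agree(receiver, giver) is None:
            return None
        needed = (receiver.key_number + KEYS_PER_CARD) % KEY_SPACE
        if needed not in giver.held():
            return None
        receiver.install_new_key()
        transactions += 1
    return transactions


if __name__ == "__main__":
    # Constructed key numbers: a cardholder card at 10 against bank cards 0 to 4 updates ahead.
    for lag in range(5):
        print("lag", lag, "-> agreed key", agree(Card(10), Card(10 + lag)))
    # Wrap-around at 255 -> 0 must not break the agreement.
    print("wrap-around:", agree(Card(254), Card(255)))
    print("transactions to catch up from a lag of 2:", catch_up(Card(253), Card(255)))
```

Under these assumptions a cardholder card can miss two key updates and still transact; at a lag of three the key sets no longer overlap, which corresponds to the expired key transaction of block 505.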

The data packets shown in FIG. 6 may be transferred from a first smart card to a second smart card during
a financial transaction. Packet 1 contains the following fields and information: Field 601: Random Number. The
first field is an eight byte random number generated by smart card 102. Field 602: Application Number. The
second field is the eight byte application ID number that is the same for all cardholder cards. Field 603: Public
Name. The third field is an eight byte ASCII name of cardholder smart card 102. Field 604: Account Number
or Signature. The fourth field is either an eight byte signature of the first three fields generated by smart card
102 using the card's APPKEY0 or just smart card 102's account number if privacy is not desired. These four
fields are mixed (two bytes at a time from each field) and encrypted in an APPKEY0 and sent from smart card
102 to smart card 104.
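
The field mixing described for Packet 1, as an added example that is not code from the patent: a keyed 8-byte Feistel permutation built on SHA-256 stands in for DES, each 8-byte block is assumed to be enciphered independently, and the key and field values are constructed. Under that assumption it shows what the mixing buys: every cipher block carries two bytes of the random number, so no block repeats from one transaction to the next.

```python
import hashlib

FIELD_LEN = 8   # every Packet 1 field is eight bytes
CHUNK = 2       # fields are mixed two bytes at a time
BLOCK = 8       # DES block size; blocks are enciphered independently (assumption)
ROUNDS = 8      # rounds of the stand-in cipher


def mix(fields):
    """Interleave four 8-byte fields two bytes at a time (32 bytes out)."""
    if len(fields) != 4 or any(len(f) != FIELD_LEN for f in fields):
        raise ValueError("need four 8-byte fields")
    out = bytearray()
    for off in range(0, FIELD_LEN, CHUNK):
        for field in fields:
            out += field[off:off + CHUNK]
    return bytes(out)


def unmix(blob):
    """Inverse of mix(): split 32 mixed bytes back into four fields."""
    if len(blob) != 4 * FIELD_LEN:
        raise ValueError("mixed packet must be 32 bytes")
    fields = [bytearray() for _ in range(4)]
    for i in range(0, len(blob), CHUNK):
        fields[(i // CHUNK) % 4] += blob[i:i + CHUNK]
    return [bytes(f) for f in fields]


def _f(key, rnd, half):
    # Round function of the stand-in cipher (SHA-256 truncated to 4 bytes).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    """Keyed 8-byte permutation standing in for DES (it is NOT DES)."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key, block):
    """Inverse of encrypt_block(): run the Feistel rounds backwards."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _each_block(fn, key, data):
    return b"".join(fn(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def build_packet1(key, random_number, app_number, public_name, account, mixed=True):
    """Card 102's side: assemble, mix (unless mixed=False) and encipher Packet 1."""
    fields = [random_number, app_number, public_name, account]
    plain = mix(fields) if mixed else b"".join(fields)
    return _each_block(encrypt_block, key, plain)


def parse_packet1(key, packet, expected_app):
    """Card 104's side: decipher, unmix and validate the fields."""
    rnd, app, name, account = unmix(_each_block(decrypt_block, key, packet))
    if app != expected_app:
        raise ValueError("application number mismatch: wrong key or altered packet")
    if not all(0x20 <= c <= 0x7E for c in name):   # assumed "certain range"
        raise ValueError("public name is not printable ASCII")
    return {"random": rnd, "name": name.decode("ascii"), "account": account}


def changed_blocks(a, b):
    """Number of 8-byte cipher blocks that differ between two packets."""
    return sum(a[i:i + BLOCK] != b[i:i + BLOCK] for i in range(0, len(a), BLOCK))


# Constructed sample values, not taken from the patent.
APPKEY0 = b"constructed-appkey0"
APP_NUMBER = b"APPID001"
NAME = b"ALICE   "
ACCOUNT = b"00012345"
RAND_A = bytes.fromhex("0123456789abcdef")
RAND_B = bytes.fromhex("fedcba9876543210")

if __name__ == "__main__":
    p_a = build_packet1(APPKEY0, RAND_A, APP_NUMBER, NAME, ACCOUNT)
    p_b = build_packet1(APPKEY0, RAND_B, APP_NUMBER, NAME, ACCOUNT)
    print(parse_packet1(APPKEY0, p_a, APP_NUMBER))
    print("blocks changed with mixing:   ", changed_blocks(p_a, p_b))
    u_a = build_packet1(APPKEY0, RAND_A, APP_NUMBER, NAME, ACCOUNT, mixed=False)
    u_b = build_packet1(APPKEY0, RAND_B, APP_NUMBER, NAME, ACCOUNT, mixed=False)
    print("blocks changed without mixing:", changed_blocks(u_a, u_b))
```

Without mixing, only the block holding the random number changes between two packets from the same card, so the other three blocks would be identical on every transaction.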

Packet 2 contains the following fields and information: Field 611: Random Number. The first field is the 
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eight byte «ndom number that was generated by smart card -^^^^^^^ 
caLnNumber.Thesecondfieldistheeightbj^eap^^^^^^^^ 

Field 613: Public Name. The third field is an eigh byte ^^C" name ot e fields generated 

AcoountNumberorSignature.Thefourthfield ise. her^^^^^^^^ ,^3,,, 

-ta^trj;^::™^ 

eight byte random number that f '",^;'3?;^^ Field 623: Debit Amount. 

10 field is the eight byte application ID number that is pield 624: Account Number or 

The third field is the amount to be debited from smart J s ba anoe n^e P e 

Signature. The fourth field is either -"/'^ht by^. s-gnaU.^^^^^^^^ These four fields 

- '°Tar:i^..nsthefollowingfie.dsa.._ 

eight byte random number that was generated by smart ca d J^^^^ J«^^;3,,g3a^eforall cardholder cards, 
cation Number. The secondfield is the eight byteapphcat^nlDn^ber^ balance file. Field 

sent from smart card 102 to smart card 104. Random Number. The first field is the 

Packet 5 contains the following fields '"^"""^^'^"^^'t J,^^^^ Field 642: Appli- 

eight byte random number that was generated by smart ca^ ^^^be^tha^'herameforall cardholder cards, 
cation Number. The secondfield is theeightbyteapplicatonlD^^^^^^ 

Field 643: Balance. The third field contains smart card 104 s generated 

count Number or Signature. Thefourth field is - ^^^^^^^l^^"^^^^^^^^ is notdesired. 

bysmartcard104usingthecardskeyO(AKO)orjustsmart.^^ 

These four fields are mixed into 6 groups of 8 bytes and encrypted in an apcw=tu a 

104 to snfwrt card 102. . D-pHo-, Number. The first field is the 

Packet 6 contains the following f ields 5. Field 652: Appli- 

e-ight byte random number that was generated by ^^.^^'^l^l^^^ cardholder cards, 

cation Number. Thesecondfield is theeightbyteapph««t»nlDn^^^ 

Field 653: Credit Amount. The third field is the amount to *° BALANCE file. Field 655: 

and encrypted in an APPKEY1 and sent from ^J'f"''''f^^^^^'^^G^ 7. Each user card contains 

.efr^f^rc^rTrM^E^^^^^^ 
-;rNc^E=y^^^^^^^^^ 

« date interest was logged, the serial number of the currency and ^^'^Jf/^.^^^^^^^ ,„^ency of the 
is 4 bytes long with 6 bits of each byte used to store value and ^ ^'ts "sed as^^^ 4 bytes long with 2 

balan'iis 1 Syte long with a different code for each S^^^^^^^ '^^^^^ 

rrenTy?4^.S^J?^ 

^pT^EYO 704 through APPKEY3 707. These ^i'- --'^^^^^^^ S 
PASSBOOK708.Thisfi.econtainstheauditt..« 

long and a total of 50 entries can be stored. Ea<J ^^^JV '"^^ Jf J^^^^^ bytes), the random number gen- 
signature if privacy is desired) (8 bytes), the public "^"^^f ^jTor dS interest (1 byte), the transaction 
erated by the other card (8 bytes), the date If known (4 b5^es| c^^^^ 

amount (3 bytes) and the new account balance (4 bytes). The total size or tnis rue 
downloaded to the bank on valid bank transactions unless privacy is desired. If larger files are needed for
merchant user cards, 8K cards can be provided and the PASSBOOK file can be greatly expanded.

KEY_INFO 709. This file stores the current APPKEY number and the last date that the keys were updated
by the bank. It is 5 bytes (1 for the number and 4 for the date) long. BAD_KEY 710. This file stores the number
of bad key attempts and is 2 bytes long. It gets reset after a valid bank transaction. When this number reaches
a set limit, the card is locked. MIN_TRANS 711. This file stores the transaction amount above which a PIN is
required. This file is 3 bytes long. MAX_TRANS 712. This file stores the transaction amount above which a
key is required. This file is 4 bytes long. RANDOM_NUMBER 713. This file contains the random number seed
to ensure that the numbers are not repeated in any predictable pattern. If the executable file is 700 bytes long
(the same as TCAs), the total space needed on the card would be about 2,700 bytes.

In addition to the files described above in connection with FIG. 7, each bank smart card contains the
following additional files also set forth in FIG. 7: BAD_CARD 801. This file stores a list of 4-byte account numbers
that are bad cards. It can store a total of 1,200 numbers for a total file size of 4,800 bytes. VALID ACCOUNT
802. This file stores the highest and lowest valid account numbers for cards that can receive key updates. It
is 32 bytes long. C_INT.EXE 803. This executable file enables the card to give interest and update keys.
INTEREST 804. This file stores the daily interest rate and is 4 bytes long.

With respect to system fraud and fraud prevention, if the smart card system operator has money, defrauders
will exist. Defrauders are people who would like to take some of the system operator's money away.
Possible methods of attack and countermeasures will now be described. ATTACK #1. Trying to put money on one
card without taking money from another card. To do this, a packet of data must be sent to the card, containing
the correct information for a credit. There are three possible means of attack: A. Replay attacks, which will not
work because each packet contains a unique random number. The system operator must make sure that each
card starts with a different random number seed and cannot be reset to its original seed in any way. Since
none of the random numbers are ever sent in clear text, this offers some protection. B. Random attempts at
sending packets to the card, which will not work because, after so many guesses, the BAD_KEY file will cause
the card to lock. This is really the equivalent of trying to guess the key. C. Direct key attack. Under the
implementation described above, the defrauder would get a good packet and try to decrypt it with random keys until
getting a valid application number. This takes an average of two decryptions per packet and 2^63 different
keys for expected success or 584 years at 1 billion encryptions per second. This is directly related to the
security of DES and is what security is based on. Double encryption may be used in risk-prone environments at
the expense of slowing the transaction and attack times down.

ATTACK #2. Stealing a valid card. All cards are protected by PINs for small transactions and can be key
protected for larger transactions. The thief could use the card for transactions under the MIN_TRANS file limit,
but the next time interest/key update occurred, the card would be invalidated. The invalidation process could
also happen at point of sale terminals for large purchases if there was fear about PINs or keys being stolen
from the cardholder. If the thief attempts to convert the card money into cash (buying cash rather than goods,
perhaps by trading with another cardholder), then the thief must have the PIN or key or be limited by the number
of transactions stored in the PASSBOOK file (50). Therefore, if the user does not lose their PIN, the maximum
expected loss is $250 (if the MIN_TRANS file is set at $5 and no transactions are stored in the PASSBOOK
file). This loss can be set to zero by reducing the number in the MIN_TRANS file to zero. If the PIN is lost,
then the amount at risk is potentially 50 times the MAX_TRANS file or the amount stored on the card. If
MAX_TRANS is set at $100, then potentially $5K is at risk. Thus this card is more like cash than a normal credit
card and needs to be treated more carefully than a normal credit card.

It is to be understood that the above-described embodiments are merely illustrative of the principles of the
invention and that many variations may be devised by those skilled in the art without departing from the scope
of the invention. It is therefore intended that such variations be included within the scope of the following claims.

Claims

1. A method for performing financial transactions characterized by the following steps:

(a) storing an electronic representation of a monetary value on a plurality of smart cards including at
least a first smart card and a second smart card;

(b) equipping at least one of the first and second smart cards with an electronic security lock for
providing system security, the security lock having a locked state such that the smart card is disabled from
participating in at least one financial transaction, and an unlocked state such that the smart card may
participate in at least one financial transaction;

(c) equipping the first smart card with a first security key and the second smart card with a second 
(d) comparing the first security key and the second security key to generate a match signal if the first
security key matches the second security key, and to generate a no-match signal if the first security
key does not match the second security key, the electronic security lock being responsive to the match
signal to enter the unlocked state, and the electronic security lock being responsive to the no-match
signal to enter the locked state.

2. A method for performing financial transactions as set forth in Claim 1 further characterized in that the
financial transactions include transferring an electronic representation of a monetary value from the first
smart card to the second smart card.

3. A method for performing financial transactions as set forth in Claim 1 further characterized in that the
financial transactions include one or more of the following:

(i) electronically transferring money from a bank to any one of the plurality of smart cards,
(ii) electronically transferring money from any one of the plurality of smart cards to a bank,
(iii) electronically transferring money from the first smart card to the second smart card,
(iv) electronically transferring money from the second smart card to the first smart card,
(v) checking a smart card balance including the amount of money electronically stored on any one of
the plurality of smart cards; and
(vi) adding an interest payment to the smart card balance.

4. A method for performing financial transactions as set forth in Claim 1 further characterized in that the
first smart card includes a first plurality of security keys and the second smart card includes a second
plurality of security keys, the comparison step generating a match signal if a plurality of ones of the first
plurality of security keys match a plurality of ones of the second security keys.

5. An apparatus for performing secure financial transactions characterized by:

a) a first smart card including:
i) monetary value storage means for storing an electronic representation of a monetary value; and
ii) security key storage means for storing a first electronic security key;

b) a second smart card including:
i) monetary value storage means for storing an electronic representation of a monetary value; and
ii) security key storage means for storing a second electronic security key;

the first and second smart cards each further including:
iii) security key comparison means for comparing the first electronic security key with the second
electronic security key, the comparison means producing a match signal if the first electronic
security key matches the second electronic security key, the comparison means producing a no-match
signal if the first electronic security key does not match the second electronic security key; and
iv) electronic security lock means coupled to the security key comparison means for enabling the
smart card to participate in a financial transaction in response to a match signal and for disabling
the smart card from participating in a financial transaction in response to a no-match signal.

6. An apparatus for performing secure financial transactions as set forth in Claim 5 further characterized
in that the first smart card security key storage means includes means for storing a first plurality of
electronic security keys and the second smart card includes security key storage means for storing a second
plurality of electronic security keys;

the security key comparison means being adapted to compare any one of said first plurality of
electronic security keys with any one of said second plurality of electronic security keys;

the comparison means producing a match signal if a plurality of ones of said first plurality of
electronic security keys matches a plurality of ones of said second plurality of electronic security keys and
the comparison means producing a no-match signal if a plurality of ones of said first plurality of
electronic security keys do not match a plurality of ones of said second plurality of electronic security keys.

7. An apparatus for performing financial transactions as set forth in Claim 5 further characterized by:

(a) first smart card read and write means for reading data from and writing data to the first smart card;
(b) second smart card read and write means for reading data from and writing data to the second smart
card; and
(c) communications link means connected to the first smart card read and write means and the second
smart card read and write means for exchanging data between the first smart card and the second
smart card.

8. An apparatus for performing financial transactions as set forth in Claim 7 further characterized in that
the data includes at least one security key.

9. An apparatus for performing financial transactions as set forth in Claim 5 further characterized by:

(a) a third smart card;
(b) first smart card read and write means for reading data from and writing data to at least one of the
first smart card, the second smart card, and the third smart card;
(c) second smart card read and write means for reading data from and writing data to at least one of
the first smart card, the second smart card, and the third smart card; and
(d) communications link means connected to the first smart card read and write means and the second
smart card read and write means for exchanging data between any of the first smart card, the second
smart card, and the third smart card.

10. An apparatus for performing financial transactions as set forth in Claim 9 further characterized in that
the first smart card is a bank center smart card, the second smart card is a merchant smart card, and the
third smart card is a customer smart card, the data including financial transaction data and one or more
security keys, the financial transaction data specifying financial parameters including a quantity of
electronic money and/or an interest rate,

the financial transactions including one or more of the following:
(i) transferring money from a bank center to any one of the first, second, and third smart cards,
(ii) transferring money from any one of the first, second, and third smart cards to a bank center,
(iii) transferring money between any of the first, second, and third smart cards,
(iv) checking a smart card balance including the amount of money stored on any one of the first, second,
and third smart cards, and
(v) adding an interest payment to the smart card balance.

11. A smart card for performing secure financial transactions and characterized by:

a) monetary value storage means for storing an electronic representation of a monetary value;

b) security key storage means for storing a first electronic security key;

c) security key comparison means for receiving a second electronic security key and for comparing the
first electronic security key with the second electronic security key, the comparison means producing
a match signal if the first electronic security key matches the second electronic security key, and the
comparison means producing a no-match signal if the first electronic security key does not match the
second electronic security key; and

d) electronic security lock means coupled to the comparison means for enabling the smart card to
participate in a financial transaction in response to a match signal and for disabling the smart card from
participating in a financial transaction in response to a no-match signal.
FIG. 2

SMART CARD 102 (FIG. 1)   | SMART CARD 104 (FIG. 1)   | DESCRIPTION
USER SMART CARD           | USER SMART CARD           | USERS EXCHANGE CARD MONEY IN EXCHANGE FOR GOODS OR SERVICES OR OTHER MONEY.
USER SMART CARD           | BANK BRANCH SMART CARD    | USER GIVES BRANCH CARD MONEY IN EXCHANGE FOR OTHER MONEY.
BANK BRANCH SMART CARD    | USER SMART CARD           | BRANCH ADDS CARD MONEY TO USER IN EXCHANGE FOR OTHER MONEY.
BANK BRANCH SMART CARD    | BANK REGION SMART CARD    | BRANCH GIVES REGION CARD MONEY IN EXCHANGE FOR OTHER MONEY.
BANK REGION SMART CARD    | BANK BRANCH SMART CARD    | REGION ADDS CARD MONEY TO BRANCH IN EXCHANGE FOR OTHER MONEY.
BANK REGION SMART CARD    |                           | REGION GIVES CENTER CARD MONEY IN EXCHANGE FOR OTHER MONEY.
FIG. 3

SMART CARD 102 IS INSERTED INTO FIRST SMART CARD READER PORT 141 (FIG. 1).

CARDHOLDER OF SMART CARD 102 DIALS THE CORRECT NUMBER
(IF COMMUNICATIONS LINK 150 EMPLOYS A TELEPHONE ADAPTER)
OR CARDHOLDER CHOOSES THE CORRECT MENU ITEM (IF
COMMUNICATIONS LINK 150 EMPLOYS AN ATM OR PC). THIS CAUSES A
CONNECTION TO BE MADE TO EITHER A HOST OR ANOTHER TELEPHONE
ADAPTER (WHICH MEANS THE TELEPHONE ADAPTER SHOULD BE ABLE TO
TALK TO ITSELF, LIKE A FAX MACHINE).

SMART CARD 104 IS INSERTED INTO SECOND SMART CARD READER PORT 143.

CARDHOLDER OF SMART CARD 102 ENTERS 'EXCH' OR EQUIVALENT CODE INTO KEYPAD.

FIRST SMART CARD READER PORT 141 PROMPTS FOR INFORMATION
NEEDED TO COMPLETE FINANCIAL TRANSACTION.
a. CREDIT/DEBIT/INTEREST
b. AMOUNT OF MONEY TO BE TRANSFERRED
c. CARD PIN OR KEY

FIRST SMART CARD READER PORT 141 SENDS A DATA PACKET
(SEE FIG. 6) TO SECOND SMART CARD READER PORT 143
DETAILING FINANCIAL TRANSACTION.

SECOND SMART CARD READER PORT 143 PROMPTS CARDHOLDER OF
SMART CARD 104 FOR INFORMATION NEEDED TO COMPLETE FINANCIAL
TRANSACTION.
a. CREDIT/DEBIT/INTEREST
b. AMOUNT OF MONEY TO BE TRANSFERRED
c. CARD PIN OR KEY

SECOND SMART CARD READER PORT 143 SENDS DATA PACKET
(SEE FIG. 6) DETAILING FINANCIAL TRANSACTION TO FIRST
SMART CARD READER PORT 141.

IF THE DATA PACKETS OF BLOCKS 308 AND 306 AGREE, THEN A
SMART CARD READER PORT 141 OR 143 BEGINS THE TRANSACTION
BY SENDING A SECURITY KEY NUMBER.
FIG. 4A

SMART CARD 102 INSERTED INTO FIRST SMART CARD READER PORT 141
AND PIN VERIFIED (THIS STEP IS OPTIONAL FOR TRANSACTIONS LESS
THAN AMOUNT STORED IN MIN_TRANS FILE).

SMART CARD 104 INSERTED INTO SECOND SMART CARD READER PORT 143
AND PIN VERIFIED (THIS STEP IS OPTIONAL FOR ALL CASES).

SECOND SMART CARD READER PORT 143 EXECUTES SMART CARD 104's C_EXCH.EXE
WITH ARGUMENT 1 (CREDIT) AND AMOUNT (A1). SMART CARD 104 RESPONDS
WITH THE KEY NUMBER OF ITS APPKEY0 (0 TO 255) (SEE FIG. 7).

SECOND SMART CARD READER 143 SENDS THIS KEY NUMBER TO FIRST SMART
CARD READER PORT 141.

FIRST SMART CARD READER PORT 141 EXECUTES SMART CARD 102's C_EXCH.EXE
WITH ARGUMENT 0 (DEBIT), AMOUNT (A1) AND SMART CARD 104's KEY NUMBER.
SMART CARD 102 RESPONDS WITH A KEY NUMBER EQUAL TO SMART CARD 104's
APPKEY0, APPKEY1 OR APPKEY2 (SEE FIG. 7). IF SMART CARD 102 CANNOT
WORK WITH THE PROPOSED KEY SET OF SMART CARD 104 THEN IT ABORTS THE
TRANSACTION AND UPDATES ITS BAD_KEY FILE.

FIRST SMART CARD READER PORT 141 SENDS RESPONSE TO SECOND SMART
CARD READER PORT 143.

SECOND SMART CARD READER PORT 143 SENDS THE KEY NUMBER RESPONSE TO
SMART CARD 104. THIS KEY BECOMES APPKEY0 FOR THE REST OF THE TRANSACTION.

SMART CARD 102 CONTINUES RESPONSE WITH PACKET 1 (P1) (FIG. 6) ENCRYPTED
IN APPKEY0 (AK0). THIS ACTS AS A CHALLENGE TO SMART CARD 104. SMART
CARD 102 ALSO UPDATES ITS PASSBOOK FILE.

FIRST SMART CARD READER PORT 141 SENDS THIS PACKET TO SECOND
SMART CARD READER PORT 143.

SMART CARD 104 RESPONDS WITH PACKET 2 (P2) (FIG. 6) ENCRYPTED IN AK0.
THIS IS THE RESPONSE TO THE CHALLENGE AND SMART CARD 102 CHECKS TO MAKE
SURE THAT THE THIRD FIELD (PUBLIC NAME) HAS BEEN CHANGED FROM P1 AND IS
A VALID NAME (CONTAINS ONLY ASCII CHARACTERS IN A CERTAIN RANGE). SMART
CARD 104 ALSO UPDATES ITS PASSBOOK FILE.

SECOND SMART CARD READER PORT 143 SENDS THIS PACKET TO FIRST SMART
CARD READER PORT 141.

TO FIG. 4B
FIG. 4B

FROM FIG. 4A

412: SMART CARD 104 CONTINUES RESPONSE WITH PACKET 3 (P3) (FIG. 6) ENCRYPTED
IN APPKEY1 (AK1). THIS ACTS AS A CHALLENGE TO SMART CARD 102.

413: SECOND SMART CARD READER PORT 143 SENDS THIS PACKET TO FIRST SMART
CARD READER PORT 141.

414: SMART CARD 102 DEBITS THE AMOUNT FROM THE CARD BALANCE AND
UPDATES THE PASSBOOK FILE.

415: SMART CARD 102 RESPONDS WITH PACKET 4 (P4) (FIG. 6) ENCRYPTED IN AK1.
THIS IS THE RESPONSE TO THE CHALLENGE AND SMART CARD 104 CHECKS TO
MAKE SURE THAT THE THIRD FIELD (CREDIT AMOUNT) HAS BEEN CHANGED FROM
P3 TO P4 AND IS A VALID FIELD (CONTAINS THE CORRECT CREDIT CODE WHICH
IS DIFFERENT FROM THE DEBIT CODE AND CONTAINS THE SAME AMOUNT AS
IN P3). IF THESE FIELDS ARE NOT CORRECT, THE BAD_KEY FILE GETS UPDATED.

416: FIRST SMART CARD READER PORT 141 SENDS PACKET P4 TO SECOND SMART
CARD READER PORT 143.

417: SMART CARD 104 CREDITS THE AMOUNT TO ITS CARD BALANCE AND UPDATES
THE PASSBOOK FILE.
FIG. 5A

501: INSERT SMART CARD 102 AND VERIFY PIN (PERSONAL IDENTIFICATION
NUMBER) STORED IN SMART CARD 102.

502: INSERT SMART CARD 104 AND VERIFY PIN.

503: SECOND SMART CARD READER PORT 143 EXECUTES SMART CARD 104's C_EXCH.EXE
WITH ARGUMENT 2 (RECEIVE INTEREST). SMART CARD 104 RESPONDS
WITH THE KEY NUMBER OF ITS APPKEY0 (0 TO 255).

504: SECOND SMART CARD READER 143 SENDS THIS KEY NUMBER TO FIRST SMART
CARD READER PORT 141.

505: FIRST SMART CARD READER PORT 141 EXECUTES SMART CARD 102's C_INT.EXE
WITH ARGUMENT 3 (GIVE INTEREST), AND SMART CARD 104's KEY NUMBER.
SMART CARD 102 RESPONDS WITH A KEY NUMBER EQUAL TO SMART CARD 104's
APPKEY0, APPKEY1 OR APPKEY2. IF SMART CARD 102 CANNOT
WORK WITH THE PROPOSED KEY SET, THEN IT ABORTS THE
TRANSACTION AND SETS UP AN EXPIRED KEY FILE TRANSACTION.

506: FIRST SMART CARD READER PORT 141 SENDS RESPONSE TO SECOND SMART
CARD READER PORT 143.

507: SECOND SMART CARD READER PORT 143 SENDS THE KEY NUMBER RESPONSE TO
SMART CARD 104. THIS KEY BECOMES APPKEY0 FOR THE REST OF THE TRANSACTION.

508: SMART CARD 102 CONTINUES RESPONSE WITH PACKET 1 (P1) ENCRYPTED
IN APPKEY0 (AK0). THIS ACTS AS A CHALLENGE TO SMART CARD 104. SMART
CARD 102 ALSO UPDATES ITS PASSBOOK FILE.

509: FIRST SMART CARD READER PORT 141 SENDS THIS PACKET TO SECOND
SMART CARD READER PORT 143.

510: SMART CARD 104 RESPONDS WITH PACKET 2 (P2) ENCRYPTED IN AK0.
THIS IS THE RESPONSE TO THE CHALLENGE AND SMART CARD 102 CHECKS TO MAKE
SURE THAT THE THIRD FIELD (PUBLIC NAME) HAS BEEN CHANGED FROM P1 AND IS
A VALID NAME (CONTAINS ONLY ASCII CHARACTERS IN A CERTAIN RANGE). SMART
CARD 104 ALSO UPDATES ITS PASSBOOK FILE.

511: SECOND SMART CARD READER PORT 143 SENDS THIS PACKET TO FIRST SMART
CARD READER PORT 141.

TO FIG. 5B
FIG. 5B

FROM FIG. 5A

512: SMART CARD 104 CONTINUES RESPONSE WITH PACKET 5 (P5) ENCRYPTED IN
APPKEY1 (AK1). THIS ACTS AS A CHALLENGE TO SMART CARD 102.

513: SECOND SMART CARD READER PORT 143 SENDS THIS PACKET TO
FIRST SMART CARD READER PORT 141.

514: SMART CARD 102 CHECKS TO MAKE SURE THAT THE THIRD FIELD (BALANCE)
HAS A VALID CHECKSUM AND A LOGICAL DATE AND INTEREST RATE. IT ALSO
CHECKS THE FOURTH FIELD (ACCOUNT NUMBER) VERSUS ITS BAD_CARD FILE
(IF IT FINDS THE NUMBER IN THE BAD_CARD FILE IT INITIATES AN
INVALIDATE CARD TRANSACTION). USING ITS DATE FILE IT CALCULATES THE
AMOUNT OF INTEREST TO CREDIT TO SMART CARD 104, DEBITS THE AMOUNT
FROM SMART CARD 102's CARD BALANCE AND UPDATES ITS PASSBOOK FILE.
SMART CARD 102 ALSO LOOKS TO SEE IF SMART CARD 104 NEEDS A NEW
KEY AND IF SO SUPPLIES ONE IN P6.

515: SMART CARD 102 RESPONDS WITH PACKET 6 (P6) ENCRYPTED IN AK1. THIS
IS THE RESPONSE TO THE CHALLENGE AND SMART CARD 104 CHECKS TO MAKE
SURE THAT THE THIRD THROUGH FIFTH FIELDS HAVE BEEN CHANGED FROM
P5 AND ARE VALID.

516: FIRST SMART CARD READER PORT 141 SENDS THIS PACKET TO SECOND SMART
CARD READER PORT 143.

517: SMART CARD 104 CREDITS THE AMOUNT TO ITS CARD BALANCE, CHANGES
THE DATE AND UPDATES THE INTEREST RATE IF NECESSARY. IF A NEW KEY
IS INCLUDED IN THE FIFTH FIELD, IT UPDATES ITS APPLICATION KEYS
BY REPLACING THE OLDEST (APPKEY0) WITH THE NEW ONE AND INCREMENTING
THE NUMBER IN THE KEY_NUMBER FILE. IT ALSO UPDATES THE PASSBOOK FILE.
FIG. 6

(54) Secure money transfer techniques using smart cards

(57) Systems and methods for providing secure
electronic financial transactions characterized in that
money is electronically stored on a plurality of smart
cards. A plurality of smart cards are each equipped with
an electronic security wall having a closed state and an
open state. In the closed state, the smart card is disabled
from participating in financial transactions, and in
the open state, the smart card may participate in financial
transactions. A security key smart card is equipped
with a first security key for changing the state of the electronic
security wall from the open state to the closed
state, and a second security key for changing the state
of the electronic security wall from the closed state to
the open state. Financial transactions include, for example,
electronically transferring money between a bank
center and a smart card; electronically transferring money
between the first and second smart cards; checking
the amount of money stored on a smart card; and adding
interest to the amount of money stored on the smart